Reply To: Check Errors Before Uploading PHP

[shaneisme]

I find it good to check the following, with caveats below:

1) File extension
2) MIME type
3) File size

Both 1 & 2 can be faked, but I check them for use-cases where the uploader isn’t doing anything malicious and provide helpful error messages.

Now that you know those can be faked, and by what everyone has said so far about security, you’ll know that accepting uploaded files from the wild is a dangerous prospect.

At the very least, you shouldn’t believe anything that happens in your $_FILE object.

Use the built-in functions and methods PHP has to move files around once they’re uploaded. Rename the file using a random string, storing the original in your DB. Move the file into a folder that is above the application, out of reach of anyone that would want to access it (if they could find out the new random file name).

Even this is the bare minimum…